A Resilient Post Quantum Key Management System for Cloud-based SaaS using CRYSTALS-Kyber and Dilithium
- DOI
- 10.2991/978-94-6239-616-6_107
- Keywords
- Post Quantum Cryptography (PQC); Key Management System (KMS); Kyber; Dilithium; AES; Quantum-Resilient Security; Digital Signatures; Key Encapsulation; REST API; SaaS
- Abstract
The move toward cloud-based software-as-a-service (SaaS) key management systems (KMS) introduces new, pressing security threats from quantum computing. The novelty of this work is a hybrid combination of the NIST-standardised CRYSTALS-Kyber and Dilithium algorithms, for key encapsulation and digital signatures respectively, that offers a scalable quantum-resilient KMS as a SaaS in a pragmatic scenario. Major contributions include a real-world deployment architecture, a description of REST API workflows for on-the-fly key generation and validation, and a performance comparison with classical KMS benchmarks showing security improvements and future-proofing of data protection. Existing cloud KMS rely primarily on traditional public-key cryptography, which is susceptible to attacks by large quantum computers. This poses an immediate security threat, particularly for long-term data confidentiality, where “Harvest Now, Decrypt Later” (HNDL) attacks are a prevalent threat. To mitigate this issue, we propose a practical and secure KMS architecture for the quantum era that is provided as SaaS.
We propose the use of standard post-quantum cryptography (PQC) based on the NIST-approved CRYSTALS suite. The system uses a hybrid cryptographic approach to deliver optimal performance and security. It generates AES-256 symmetric keys on the fly through a secured REST API. The keys are then encapsulated with CRYSTALS-Kyber for post-quantum secret protection. To guarantee integrity and authenticity, operations are digitally signed with CRYSTALS-Dilithium. The encapsulated keys and their associated signatures are kept secure in the cloud, where only the owner can access them via a unique identifier alongside robust OAuth2-based sign-in.
By integrating these PQC components into an existing SaaS KMS blueprint, this study offers organizations a gentle learning curve. It preserves the simple and scalable use of modern cloud services while ensuring that cryptographic key management is sufficiently secure against emerging threats such as those from quantum computing. This method is a critically important, practical means of maintaining long-term trust and protecting data.
- Copyright
- © 2026 The Author(s)
- Open Access
- Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 4.0 International License (http://creativecommons.org/licenses/by-nc/4.0/), which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
Cite this article
TY - CONF
AU - N. Kalaiselvi
AU - S. Suriya Prasaad
AU - A. Jayakandhan
AU - C. Madhan
PY - 2026
DA - 2026/03/31
TI - A Resilient Post Quantum Key Management System for Cloud-based SaaS using CRYSTALS-Kyber and Dilithium
BT - Proceedings of the International Conference on Artificial Intelligence and Secure Data Analytics (ICAISDA 2025)
PB - Atlantis Press
SP - 1488
EP - 1503
SN - 1951-6851
UR - https://doi.org/10.2991/978-94-6239-616-6_107
DO - 10.2991/978-94-6239-616-6_107
ID - Kalaiselvi2026
ER -